The Office of Management and Budget is directing federal agencies to adopt new guidance on how to protect their most valuable information.
In a new memorandum issued Monday, OMB provided updates on how agencies manage their high-value assets — data and information on federal IT systems whose unauthorized disclosure would negatively impact the government.
The memo, M-19-03, reclassifies HVAs from a single definition into three categories that provide agencies more flexibility in designating the protections needed and spells out the steps for reporting, assessing and remediating those assets against the threat of a cyberattack.
“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the federal enterprise and the measures available to mitigate those risks,” said OMB Director Mick Mulvaney in the memo. “As such, the HVA program is expanding to support all agencies, including both CFO Act and non-CFO Act agencies, in HVA identification, assessment, remediation and response to incidents.”
The memo designates those HVAs in three categories:
- Informational Value – The information or information system that processes, stores or transmits the information is of high value to the government or its adversaries.
- Mission Essential – The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions (PMEF), as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
- Federal Civilian Enterprise Essential (FCEE) – The information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.
Agencies can apply one or more of these definitions to each of their HVAs, but OMB and the Department of Homeland Security can also apply those designations to agency assets, depending on their national security impact.
OMB also calls on agencies to report all of their HVAs to DHS officials as part of the asset program, to continually provide assessments that ensure the IT systems managing those assets meet DHS security and privacy requirements, and to develop remediation plans in response to those assessments.
The memo stipulates that within a year of sending their assessments to DHS, agencies must “develop plans to update the technology or architecture of those HVAs for which the corrective action is attributed to obsolete or unsupported technology or critical deficiencies in the solution architecture.”
Agencies will send their remediation plans to both DHS and their OMB Resource Management Offices, as well as identify any impediments in policy, resource allocation, workforce or operations.
OMB officials again strongly encouraged agencies to maximize the use of shared IT services, cloud architectures and data-level protections to address asset protection gaps, mirroring language in past modernization policies.
Agencies are also expected to ensure the security of the assets themselves, including applying the systems security engineering principles laid out in NIST SP 800-160, Volume 1. The memo also directs agency privacy officers to monitor protection compliance related to HVAs containing personally identifiable information.
The move follows the 2017 cybersecurity executive order that called for the federal government to bolster its network defenses through IT modernization and augments policy crafted in the wake of the 2015 Office of Personnel Management cyber breach.